summaryrefslogtreecommitdiff
path: root/cmdline/apt-key.in
Commit message (Collapse)AuthorAgeFilesLines
* apt-key: change to / before find to satisfy its CWD needsDavid Kalnischkies2016-06-021-14/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | First seen on hurd, but easily reproducible on all systems by removing the 'execution' bit from the current working directory and watching some tests (mostly the no-output expecting tests) fail due to find printing: "find: Failed to restore initial working directory: …" Samuel Thibault says in the bugreport: | To do its work, find first records the $PWD, then goes to | /etc/apt/trusted.gpg.d/ to find the files, and then goes back to $PWD. | | On Linux, getting $PWD from the 700 directory happens to work by luck | (POSIX says that getcwd can return [EACCES]: Search permission was denied | for the current directory, or read or search permission was denied for a | directory above the current directory in the file hierarchy). And going | back to $PWD fails, and thus find returns 1, but at least it emitted its | output. | | On Hurd, getting $PWD from the 700 directory fails, and find thus aborts | immediately, without emitting any output, and thus no keyring is found. | | So, to summarize, the issue is that since apt-get update runs find as a | non-root user, running it from a 700 directory breaks find. Solved as suggested by changing to '/' before running find, with some paranoia extra care taking to ensure the paths we give to find are really absolute paths first (they really should, but TMPDIR=. or a similar Dir::Etc::trustedparts setting could exist somewhere in the wild). The commit takes also the opportunity to make these lines slightly less error ignoring and the two find calls using (mostly) the same parameters. Thanks: Samuel Thibault for 'finding' the culprit! Closes: 826043
* apt-key: add \n to dpkg-query --show --showformatCarsten Hey2016-05-011-1/+1
| | | | | | | | | | Guarding against 'broken' greps not dealing with non-text inputs "just in case" by making the input text with a proper newline. [commit message by David Kalnischkies] Reported-On: IRC Git-Dch: Ignore
* warn if apt-key is run unconditionally in maintainerscriptDavid Kalnischkies2016-05-011-1/+14
| | | | | | | | We want to stop hard-depending on gnupg and for this it is essential that apt-key isn't used in any critical execution path, which maintainerscript are. Especially as it is likely that these script call apt-key either only for (potentially now outdated cleanup) or still not use the much simpler trusted.gpg.d infrastructure.
* add test for apt-key 0xKEY and use parameter expansionDavid Kalnischkies2016-03-061-1/+1
| | | | | | | | | Fixed in f7bd44bae0d7cb7f9838490b5eece075da83899e already, but the commit misses the Closes tag and while we are at it we can add a simple regression test and micro-optimize it a bit. Thanks: James McCoy for the suggestion. Closes: 816691
* apt-key del should correctly handle keyids prefixed with 0xDaniel Kahn Gillmor2016-03-041-0/+4
|
* avoid triggering gpg2 migration in apt-keyDavid Kalnischkies2015-12-191-15/+15
| | | | | | | | | | | | | | | | The presents (even of an empty) secring.gpg is indication enough for gpg2 to tigger the migration code which not only produces a bunch of output on each apt-key call, but also takes a while to complete as an agent needs to be started and all that. We workaround the first part by forcing the migration to happen always in a call we forced into silence, but that leaves us with an agent to start all the time – with a bit of reordering we can make it so that we do not explicitly create the secring, but let gpg create it if needed, which prevents the migration from being triggered and we have at least a bit less of a need for an agent. Changes - even to public only keyrings - still require one, but such actions are infrequent in comparison to verification calls, so that should be a net improvement.
* avoid evaluating shell in paths used in apt-keyDavid Kalnischkies2015-12-191-20/+24
| | | | | | | | | | | | apt-key creates internally a script (since ~1.1) which it will call to avoid dealing with an array of different options in the code itself, but while writing this script it wraps the values in "", which will cause the shell to evaluate its content upon execution. To make 'use' of this either set a absolute gpg command or TMPDIR to something as interesting as: "/tmp/This is fü\$\$ing cràzy, \$(man man | head -n1 | cut -d' ' -f1)\$!" If such paths can be encountered in reality is a different question…
* part revert, part redo 'which' replacementDavid Kalnischkies2015-12-071-7/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | In e75e5879 'replace "which" with "command -v" for portability' I missed that command -v isn't actually required to be available in debian, so for the 5 files we are using it: Two (abicheck/run_abi_test & test/integration/framework) are called in environments were I believe sh is at least dash or 'better' as the first one is "interactive" for apt developers and the later is sourced by ~200 tests in the same directory run by hand and ci-services – for the later we have pulled some uglier hacks for worser things already, so if there should actually end up needing something more compatible we will notice eventually (and the later actually had a command -v call for some time already and nobody came running). debian/rules and debian/apt.cron.daily I switched back to which as that is more or less debian-specific or at least highly non-critical. That leaves cmdline/apt-key.in with a bunch of calls where I will implement that functionality in shell as this is relatively short-lived as it is used to detect wget (for net-update, which Michael wants to revive and in that process will properly use apt-helper instead of wget) and to detect gpg vs. gpg2 systems, where the earlier is supposed to go away in the longrun (or the later, but by replacing the earlier…). [and this gpg/gpg2 detection is new in sid, so I have some sympathy for that being a problem now.] Thanks: Jakub Wilk for pointing out #747320
* replace run-parts with find|sort to avoid debianutils usageDavid Kalnischkies2015-12-061-1/+1
| | | | | | | After e75e5879 the reason for an implicit dependency on debianutils (which is essential for debian, but likely not on other systems) was just two uses of run-parts, which can be replaced with the a lot more portable find-piped-into-sort duo.
* replace "which" with "command -v" for portabilityDavid Kalnischkies2015-12-061-7/+7
| | | | | | | | which is a debian specific tool packaged in debianutils (essential) while command is a shell builtin defined by POSIX. Closes: 807144 Thanks: Mingye Wang for the suggestion.
* deal with spaces in path, command and filepaths in apt-keyDavid Kalnischkies2015-09-141-43/+61
| | | | | | | | Filenames we get could include spaces, but also the tmpdir we work in and the failures we print in return a very generic and unhelpful… Properly supporting spaces is a bit painful as we constructed gpg command before, which is now moved to (multilevel) calls to temporary scripts instead.
* fix various typos reported by codespellDavid Kalnischkies2015-08-271-1/+1
| | | | Reported-By: codespell
* merge keyrings with cat instead of gpg in apt-keyDavid Kalnischkies2015-08-101-42/+86
| | | | | | | | | | | | | | | | | | | If all keyrings are simple keyrings we can merge the keyrings with cat rather than doing a detour over gpg --export | --import (see #790665), which means 'apt-key verify' can do without gpg and just use gpgv as before the merging change. We declare this gpgv usage explicit now in the dependencies. This isn't a new dependency as gnupg as well as debian-archive-keyring depend on and we used it before unconditionally, just that we didn't declare it. The handling of the merged keyring needs to be slightly different as our merged keyring can end up containing the same key multiple times, but at least currently gpg does remove only the first occurrence with --delete-keys, so we move the handling to a if one is gone, all are gone rather than an (implicit) quid pro quo or even no effect. Thanks: Daniel Kahn Gillmor for the suggestion
* support gpg 2.1.x in apt-keyDavid Kalnischkies2015-08-101-25/+60
| | | | | | | | | | | | | | | | | | The output of gpg slightly changes in 2.1 which breaks the testcase, but the real problem is that this branch introduces a new default keyring format (which is called keybox) and mixing it with simple keyrings (the previous default format) has various problems like failing in the keybox to keyring import (#790665) or [older] gpgv versions not being able to deal with keyboxes (and newer versions as well currently: https://bugs.gnupg.org/gnupg/issue2025). We fix this by being a bit more careful in who creates keyrings (aka: we do it or we take a simple keyring as base) to ensure we always have a keyring instead of a keybox. This way we can ensure that any version combination of gpv/gpgv2 and gnupg/gnupg2 without doing explicit version checks and use the same code for all of them. Closes: 781042
* enhance apt-key debugging optionsDavid Kalnischkies2015-08-101-4/+15
| | | | | | | | | | It is sometimes handy to know how apt-key exactly called gpg, so adding a pair of options to be able to see this if wanted is added. Two are needed as some commands output is redirected to /dev/null, while sfor others stdout is piped into another gpg call so in both cases you wouldn't see all and hence you can choose. Git-Dch: Ignore
* implement Signed-By option for sources.listDavid Kalnischkies2015-08-101-3/+19
| | | | | | | | | | Limits which key(s) can be used to sign a repository. Not immensely useful from a security perspective all by itself, but if the user has additional measures in place to confine a repository (like pinning) an attacker who gets the key for such a repository is limited to its potential and can't use the key to sign its attacks for an other (maybe less limited) repository… (yes, this is as weak as it sounds, but having the capability might come in handy for implementing other stuff later).
* Merge branch 'debian/jessie' into debian/experimentalDavid Kalnischkies2015-04-191-1/+1
|\ | | | | | | | | | | | | | | | | Conflicts: apt-pkg/acquire-item.cc cmdline/apt-key.in methods/https.cc test/integration/test-apt-key test/integration/test-multiarch-foreign
| * keyids in "apt-key del" should be case-insensitiveDavid Kalnischkies2015-04-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | gnupg is case-insensitive about keyids, so back then apt-key called it directly any keyid was accepted, but now that we work more with the keyid ourself we regressed to require uppercase keyids by accident. This is also inconsistent with other apt-key commands which still use gnupg directly. A single case-insensitive grep and we are fine again. Closes: 781696
| * support long keyids in "apt-key del" instead of ignoring themJames McCoy2014-11-281-1/+1
| | | | | | | | | | | | | | | | | | | | | | apt-key given a long keyid reports just "OK" all the time, but doesn't delete the mentioned key as it doesn't find the key. Note: In debian/experimental this was closed with 29f1b977100aeb6d6ebd38923eeb7a623e264ffe which just added the testcase as the rewrite of apt-key had fixed this as well. Closes: 754436
* | test if TMPDIR is accessible before usingDavid Kalnischkies2014-10-201-2/+6
| | | | | | | | | | | | | | | | | | | | Private temporary directories as created by e.g. libpam-tmpdir are nice, but they are also very effective in preventing our priviledge dropping to work as TMPDIR will be set to a directory only root has access to, so working with it as _apt will fail. We circumvent this by extending our check for a usable TMPDIR setting by checking access rights. Closes: 765951
* | Test if TMPDIR is a directory in apt-key and if not unset itMichael Vogt2014-09-291-0/+3
| | | | | | | | | | This prevents a failure in mktemp -d - it will blindly trust TMPDIR and not use something else if the dir is not there.
* | add and use 'apt-key verify' which prefers gpgv over gpgDavid Kalnischkies2014-09-271-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | gnupg/gnupg2 can do verify just fine of course, so we don't need to use gpgv here, but it is what we always used in the past, so there might be scripts expecting a certain output and more importantly the output of apt-cdrom contains messages from gpg and even with all the settings we activate to prevent it, it still shows (in some versions) a quiet scary: "gpg: WARNING: Using untrusted key!" message. Keeping the use of gpgv is the simplest way to prevent it. We are increasing also the "Breaks: apt" version from libapt as it requires a newer apt-key than might be installed in partial upgrades.
* | miscellaneous small cleanups in apt-keyDavid Kalnischkies2014-09-271-17/+7
| | | | | | | | Git-Dch: Ignore
* | add --readonly option for apt-key advDavid Kalnischkies2014-09-271-5/+4
| | | | | | | | | | | | | | | | Some advanced commands can be executed without the keyring being modified like --verify, so this adds an option to disable the mergeback and uses it for our gpg calling code. Git-Dch: Ignore
* | use only one --keyring in gpg interactionsDavid Kalnischkies2014-09-271-28/+77
| | | | | | | | | | | | | | | | | | We were down to at most two keyrings before, but gnupg upstream plans dropping support for multiple keyrings in the longrun, so with a single keyring we hope to be future proof – and 'apt-key adv' isn't a problem anymore as every change to the keys is merged back, so we have now the same behavior as before, but support an unlimited amount of trusted.gpg.d keyrings.
* | add --secret-keyring option for apt-keyDavid Kalnischkies2014-09-271-0/+11
| | | | | | | | | | | | | | | | | | For some advanced usecases it might be handy to specify the secret keyring to be used (e.g. as it is used in the testcases), but specifying it via a normal option for gnupg might not be available forever: http://lists.gnupg.org/pipermail/gnupg-users/2013-August/047180.html Git-Dch: Ignore
* | allow to specify fingerprints in 'apt-key del'David Kalnischkies2014-09-271-4/+17
| |
* | add a test for apt-key export{,all}David Kalnischkies2014-09-271-2/+2
| | | | | | | | Git-Dch: Ignore
* | respect --keyring also in merged keyring commandsDavid Kalnischkies2014-09-271-8/+10
| | | | | | | | Git-Dch: Ignore
* | support gnupg2 as drop-in replacement for gnupgDavid Kalnischkies2014-09-271-4/+13
| | | | | | | | | | | | If both are available APT will still prefer gpg over gpg2 as it is a bit more lightweight, but it shouldn't be a problem to use one or the other (at least at the moment, who knows what will happen in the future).
* | delay gnupg setup in apt-key until it is neededDavid Kalnischkies2014-09-271-22/+22
| | | | | | | | | | | | 'apt-key help' and incorrect usage do not need a functioning gnupg setup, as well as we shouldn't try to setup gnupg before we actually test if it is available (and print a message if it is not).
* | merge fragment keyrings in apt-key to avoid hitting gpg limitsDavid Kalnischkies2014-09-271-57/+77
| | | | | | | | | | | | | | | | | | | | | | | | | | | | gnupg has a hardlimit of 40 (at the moment) keyrings per invocation, which can be exceeded with (many) repositories. That is rather misfortune as the longrun goal was to drop gnupg dependency at some point in the future, but this can now be considered missed and dropped. It also means that 'apt-key adv' commands might not have the behaviour one would expect it to have as it mainly operates on a big temporary keyring, so commands modifying keys will break. Doing this was never a good idea anyway through, so lets just hope nothing break too badly. Closes: 733028
* | refactor key removal code to reuse it in next stepDavid Kalnischkies2014-09-271-48/+55
| | | | | | | | Git-Dch: Ignore
* | set a primary-keyring only if we have access to itDavid Kalnischkies2014-09-271-1/+3
| |
* | support (multiple) arguments properly in apt-keyDavid Kalnischkies2014-09-271-27/+27
| |
* | only create new trusted.gpg if directory is writeableDavid Kalnischkies2014-09-271-23/+14
| |
* | all errors should be printed to stderrDavid Kalnischkies2014-09-271-5/+5
| | | | | | | | Git-Dch: Ignore
* | add a (hidden) --quiet option for apt-keyDavid Kalnischkies2014-09-271-4/+10
| |
* | remove leftover debug output from multikey softlinkDavid Kalnischkies2014-09-271-1/+0
|/ | | | Git-Dch: Ignore
* Fix typos in documentation (codespell)Michael Vogt2014-02-221-2/+2
|
* use gpg --homedir instead of explicit file placementDavid Kalnischkies2014-01-161-13/+14
| | | | | | Avoids that gpg gets the idea it could use files from the user which weren't overridden specifically like secret keyring and trustdb as before.
* fix apt-key net-update test to use the buildin webserverMichael Vogt2013-12-191-1/+1
|
* make apt-key net-update actually testableMichael Vogt2013-12-131-6/+13
|
* generate apt-key script with vendor info about keysDavid Kalnischkies2013-12-011-0/+354
The apt-key script uses quiet a few keyring files for operation which are specific to the distribution it is build on and is hence one of the most patched parts – even if it is not that often used anymore now that a fragment directory for trusted.gpg exists.